
how to tell client to use ssf=256 instead of ssf=128



Hello,

I'm using openldap 2.4.28 on ubuntu server and configured TLS.
I want to allow write operations only when ssf=256 is used. (security update_ssf=256)
Certificates were set up with openssl CA.pl.

When I connect via
# ldapadd -Y EXTERNAL -ZZ -f /src/test.ldif

I get this:
SASL/EXTERNAL authentication started
SASL username: cn=ldapadmin,.............
SASL SSF: 0
adding new entry "dc=example,dc=com"
ldap_add: Confidentiality required (13)
	additional info: stronger confidentiality required for update

the log says:
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:56698 (IP=0.0.0.0:389)
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=0 STARTTLS
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=0 RESULT oid= err=0 text=
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 TLS established tls_ssf=128 ssf=128
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="" method=163
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND authcid="cn=ldapadmin,........." authzid="cn=ldapadmin,........"
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="cn=ldapadmin,......." mech=EXTERNAL sasl_ssf=0 ssf=128
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct  8 19:38:14 ldap slapd[2205]: connection_input: conn=1003 deferring operation: binding
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=2 ADD dn="dc=example,dc=com"
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=2 RESULT tag=105 err=13 text=stronger confidentiality required for update
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=3 UNBIND
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 closed

1. Why is the client connecting with ssf=128?
2. Can I influence the ssf used by client, if yes, how?
3. Maybe a certificate issue?

Thanks in advance,
Tobias Hachmer
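The `tls_ssf=128` in the log above is what slapd derives from the negotiated TLS cipher's key length, so the check a defender wants is a per-connection view of which SSF each client actually got and which operations were refused with err=13. The script below is an added example, not code from the post or from OpenLDAP; it parses slapd connection log lines of the format shown above, using a constructed sample modelled on them (the DN is an assumed placeholder), and reports connections below a required SSF or hit by "Confidentiality required".

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines in the post above: one
# connection that negotiated 128-bit TLS and then failed an ADD with err=13.
SAMPLE_LOG = """\
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 ACCEPT from IP=127.0.0.1:56698 (IP=0.0.0.0:389)
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=0 STARTTLS
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 TLS established tls_ssf=128 ssf=128
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=1 BIND dn="cn=ldapadmin,dc=example,dc=com" mech=EXTERNAL sasl_ssf=0 ssf=128
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=2 ADD dn="dc=example,dc=com"
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 op=2 RESULT tag=105 err=13 text=stronger confidentiality required for update
Oct  8 19:38:14 ldap slapd[2205]: conn=1003 fd=13 closed
"""

CONN_RE = re.compile(r"conn=(\d+)")
TLS_RE = re.compile(r"TLS established tls_ssf=(\d+) ssf=(\d+)")
BIND_RE = re.compile(r'BIND dn="([^"]*)" mech=(\S+) sasl_ssf=(\d+) ssf=(\d+)')
RESULT_RE = re.compile(r"op=(\d+) RESULT tag=\d+ err=(\d+)")

def audit_ssf(log_text, required_ssf=256):
    """Return {conn_id: summary} for every connection whose effective SSF is
    below required_ssf or that received err=13 (confidentiality required)."""
    conns = defaultdict(lambda: {"tls_ssf": None, "ssf": None, "dn": None,
                                 "mech": None, "err13_ops": []})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        c = conns[int(m.group(1))]
        if (t := TLS_RE.search(line)):
            # TLS layer: tls_ssf is the cipher strength, ssf the effective value
            c["tls_ssf"], c["ssf"] = int(t.group(1)), int(t.group(2))
        elif (b := BIND_RE.search(line)):
            # SASL bind: ssf here is the combined TLS + SASL strength
            c["dn"], c["mech"], c["ssf"] = b.group(1), b.group(2), int(b.group(4))
        elif (r := RESULT_RE.search(line)) and r.group(2) == "13":
            c["err13_ops"].append(int(r.group(1)))
    findings = {}
    for cid, c in conns.items():
        weak = c["ssf"] is not None and c["ssf"] < required_ssf
        if weak or c["err13_ops"]:
            findings[cid] = dict(c, below_required=weak)
    return findings
```

Run it over a real slapd log with the `required_ssf` matching your `security` directive; a connection flagged `below_required` with a 128-bit `tls_ssf` points at the negotiated cipher rather than at the certificate.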